Chris PeBenito
9f99cfb771
Network daemon patches from Russell Coker.
2017-02-25 11:20:19 -05:00
Chris PeBenito
cb35cd587f
Little misc patches from Russell Coker.
2017-02-18 09:39:01 -05:00
Chris PeBenito
1720e109a3
Sort capabilities permissions from Russell Coker.
2017-02-15 18:47:33 -05:00
Chris PeBenito
69da46ae18
usrmerge FC fixes from Russell Coker.
2017-02-07 18:51:58 -05:00
Chris PeBenito
2e7553db63
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
2017-02-04 15:19:35 -05:00
Chris PeBenito
69ede859e8
Bump module versions for release.
2017-02-04 13:30:53 -05:00
Chris PeBenito
67c435f1fc
Module version bump for fc updates from Nicolas Iooss.
2016-12-28 14:38:05 -05:00
Chris PeBenito
f850ec37df
Module version bumps for /run fc changes from cgzones.
2016-12-22 15:54:46 -05:00
Chris PeBenito
16b7b5573b
Module version bumps for patches from cgzones.
2016-12-04 13:30:54 -05:00
cgzones
598700325b
allow dhcp_t to domtrans into avahi
...
#============= dhcpc_t ==============
# audit(1459860992.664:6):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="execute_no_trans"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.2.gz:Apr 5 14:56:32 debianSe kernel: [ 4.830761]
# audit: type=1400 audit(1459860992.664:6): avc: denied { execute_no_trans }
# for pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
# ino=140521 scontext=system_u:system_r:dhcpc_t:s0
# tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1454514879.616:134):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="execute_no_trans"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.5.gz:Feb 3 16:54:39 debianSe kernel: [ 13.237496]
# audit: type=1400 audit(1454514879.616:134): avc: denied { execute_no_trans
# } for pid=464 comm="dhclient-script" path="/usr/sbin/avahi-autoipd"
# dev="sda1" ino=140521 scontext=system_u:system_r:dhcpc_t
# tcontext=system_u:object_r:avahi_exec_t tclass=file permissive=1 "
allow dhcpc_t avahi_exec_t:file execute_no_trans;
# audit(1459860992.660:4):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="execute"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.2.gz:Apr 5 14:56:32 debianSe kernel: [ 4.827312]
# audit: type=1400 audit(1459860992.660:4): avc: denied { execute } for
# pid=412 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521
# scontext=system_u:system_r:dhcpc_t:s0
# tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1459860992.664:5):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="{ read open }"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.2.gz:Apr 5 14:56:32 debianSe kernel: [ 4.829009]
# audit: type=1400 audit(1459860992.664:5): avc: denied { read open } for
# pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
# ino=140521 scontext=system_u:system_r:dhcpc_t:s0
# tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1454514879.616:132):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="execute"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.5.gz:Feb 3 16:54:39 debianSe kernel: [ 13.237297]
# audit: type=1400 audit(1454514879.616:132): avc: denied { execute } for
# pid=464 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521
# scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:avahi_exec_t
# tclass=file permissive=1 "
# audit(1454514879.616:133):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="{ read open }"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.5.gz:Feb 3 16:54:39 debianSe kernel: [ 13.237309]
# audit: type=1400 audit(1454514879.616:133): avc: denied { read open } for
# pid=464 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
# ino=140521 scontext=system_u:system_r:dhcpc_t
# tcontext=system_u:object_r:avahi_exec_t tclass=file permissive=1 "
#!!!! This avc is allowed in the current policy
allow dhcpc_t avahi_exec_t:file { read execute open };
2016-12-04 17:34:11 +01:00
Chris PeBenito
34055cae87
Bump module versions for release.
2016-10-23 16:58:59 -04:00
Chris PeBenito
187019a615
Module version bump for various patches from Guido Trentalancia.
2016-08-14 14:58:57 -04:00
Chris PeBenito
19b84c95b1
Remove redundant libs_read_lib_files() for ifconfig_t.
2016-08-14 14:52:32 -04:00
Chris PeBenito
6caa443d18
Ifconfig should be able to read firmware files in /lib (i.e. some network cards need to load their firmware) and it should not audit attempts to load kernel modules directly.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-14 14:52:07 -04:00
Chris PeBenito
5481c1cc84
Update the sysnetwork module to add some permissions needed by the dhcp client (another separate patch makes changes to the ifconfig part).
Create auxiliary interfaces in the ntp module.
The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.
Include revisions from Chris PeBenito.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-14 14:51:42 -04:00
Chris PeBenito
c23353bcd8
Bump module versions for release.
2015-12-08 09:53:02 -05:00
Chris PeBenito
17694adc7b
Module version bump for systemd additions.
2015-10-23 14:53:14 -04:00
Chris PeBenito
579849912d
Add supporting rules for domains tightly-coupled with systemd.
2015-10-23 10:17:46 -04:00
Chris PeBenito
a38c3be208
Module version bump for updated netlink sockets from Stephen Smalley
2015-05-22 08:38:53 -04:00
Stephen Smalley
58b3029576
Update netlink socket classes.
...
Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.
Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.
Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed. Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes. For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-22 08:29:03 -04:00
Chris PeBenito
fd0c07c8b3
Module version bump for optional else block removal from Steve Lawrence.
2015-01-12 08:45:58 -05:00
Steve Lawrence
4bd0277313
Remove optional else block for dhcp ping
...
Else blocks with optional statements are not supported in CIL.
Currently, if the pp to CIL compiler comes across one of these in a pp
module, it just drops the block and outputs a warning. Fortunately,
these are very rare. In fact, this is the only place in refpolicy where
an optional else block is used, and it is not clear if it is even
needed. This patch is untested, and is more to spark discussions to see
if there are any thoughts about whether or not this piece of policy is
needed.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2015-01-12 08:44:39 -05:00
Chris PeBenito
468185f5f7
Bump module versions for release.
2014-12-03 13:37:38 -05:00
Chris PeBenito
8a3a8c7e1b
Module version bump for /sbin/iw support from Nicolas Iooss.
2014-10-23 08:51:53 -04:00
Chris PeBenito
0820cfe75d
Add comment for iw generic netlink socket usage
2014-10-23 08:50:18 -04:00
Nicolas Iooss
5fb1249f37
Use create_netlink_socket_perms when allowing netlink socket creation
...
create_netlink_socket_perms is defined as:
{ create_socket_perms nlmsg_read nlmsg_write }
This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.
Clean up things without allowing anything new.
2014-10-23 08:07:44 -04:00
Nicolas Iooss
d6af57e5e7
Allow iw to create generic netlink sockets
...
iw uses generic netlink socket to configure WiFi properties. For
example, "strace iw dev wlan0 set power_save on" outputs:
socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0
Some AVC denials are reported in audit.log:
type=AVC msg=audit(1408829044.820:486): avc: denied { create } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:489): avc: denied { getattr }
for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:490): avc: denied { write } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
Allowing ifconfig_t to create generic netlink sockets fixes this.
(On a side note, the AVC denials were caused by TLP, a tool which
applies "laptop configuration" when switching between AC and battery
with the help of a udev script)
2014-10-23 08:07:44 -04:00
Chris PeBenito
491683b3e2
Module version bump for init_daemon_pid_file from Sven Vermeulen.
2014-06-30 14:34:51 -04:00
Sven Vermeulen
4a94489be7
Use init_daemon_pid_file instead of init_daemon_run_dir
...
Update non-contrib modules to use init_daemon_pid_file instead of
init_daemon_run_dir.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-06-26 08:34:27 -04:00
Chris PeBenito
84f2b380cf
Module version bump for ifconfig fc entry from Sven Vermeulen.
2014-05-27 09:08:12 -04:00
Chris PeBenito
10ff4d0fa3
Bump module versions for release.
2014-03-11 08:16:57 -04:00
Chris PeBenito
3208ff94c4
Module version bump for second lot of patches from Dominick Grift.
2013-12-03 13:03:35 -05:00
Dominick Grift
521bbf8586
These { read write } tty_device_t chr files on boot up in Debian
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:39:21 -05:00
Chris PeBenito
1a01976fc4
Module version bump for first batch of patches from Dominick Grift.
2013-12-02 14:22:29 -05:00
Dominick Grift
012f1b2311
sysnetwork: dhclient searches /var/lib/ntp
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:32 -05:00
Dominick Grift
6c19504654
sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian I was able to confirm the need for networkmanager_manage_lib_files(dhcpc_t) since dhclient reads /var/lib/NetworkManager/dhclient-eth0.conf
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:32 -05:00
Chris PeBenito
eb4512f6eb
Module version bump for dhcpc fixes from Dominick Grift.
2013-09-27 17:15:22 -04:00
Chris PeBenito
f0e0066a7b
Reorder dhcpc additions.
2013-09-27 17:15:02 -04:00
Dominick Grift
b1599e01fe
sysnetwork: dhcpc binds socket to random high udp ports sysnetwork: do not audit attempts by ifconfig to read, and write dhcpc udp sockets (looks like a leaked fd)
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 17:13:12 -04:00
Chris PeBenito
cf905e8ef1
Module version bumps for dhcpc leaked fds to hostname.
2013-09-27 15:55:52 -04:00
Chris PeBenito
f0ad29f609
Module version bump for debian ifstate changes from Dominick Grift.
2013-09-27 14:42:47 -04:00
Dominick Grift
ac5d072465
sysnetwork: Debian stores network interface configuration in /run/network (ifstate). That directory is created by the /etc/init.d/networking script.
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 14:39:29 -04:00
Chris PeBenito
55ac5a503d
Module version bump for ethtool reading pm-powersave.lock from Dominick Grift.
2013-09-26 09:14:07 -04:00
Dominick Grift
7c6ba1570e
sysnetwork: ethtool reads /run/pm-utils/locks/pm-powersave.lock
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 08:57:19 -04:00
Chris PeBenito
d174521a64
Bump module versions for release.
2013-04-24 16:14:52 -04:00
Chris PeBenito
be2e70be8d
Module version bump for fixes from Dominick Grift.
2013-01-03 10:53:34 -05:00
Chris PeBenito
104456aa17
Module version bump for interfaces used by virt from Dominick Grift.
2012-10-30 14:17:25 -04:00
Chris PeBenito
a2cc003740
Module version bump for minor logging and sysnet changes from Sven Vermeulen.
2012-10-30 13:39:46 -04:00
Sven Vermeulen
7ed91bfafd
Support flushing routing cache
...
To flush the routing cache, ifconfig_t (through the "ip" command) requires
sys_admin capability. If not:
~# ip route flush cache
Cannot flush routing cache
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-10-30 13:28:02 -04:00
Chris PeBenito
e4f0112175
Module version bump for dhcp6 ports, from Russell Coker.
2012-10-19 08:39:02 -04:00
Russell Coker
f9bee5a60b
Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for client control
...
Client control is used by the wide dhcp6 client, which can be controlled
via dhcp6ctl. This works by communicating over port 5546.
2012-10-19 08:19:28 -04:00
Chris PeBenito
afdb509245
Module version bump for changes from Dominick Grift and Sven Vermeulen.
2012-10-09 11:01:42 -04:00
Dominick Grift
4ea2bc7eba
Changes to the sysnetwork policy module
...
dhcpc is a dbus_system_domain()
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-09 10:18:36 -04:00
Chris PeBenito
0a6013cd4f
Module version bump for /run/dhcpc directory creation by dhcp from Sven Vermeulen.
2012-08-21 15:25:13 -04:00
Sven Vermeulen
452942ca99
DHCP client's hooks create /run/dhcpc directory
...
This directory contains the working files for updating network-related files
(like resolv.conf for name servers) before they are copied to the fixed
location. Although already in use previously, this location (/var/run/dhcpc or
/var/run/dhcpcd) was statically defined on the system.
With the introduction of /run and systems having /var/run -> /run, this is now a
dynamically created directory by dhcpc_t. Hence, the policy is enhanced allowing
dhcpc_t to create dhcpc_var_run_t directories, and include a file transition for
directories created in the var_run_t location(s).
Changes since v1
----------------
- Use create_dirs_pattern instead of manage_dirs_pattern
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-08-21 15:07:47 -04:00
Chris PeBenito
3516535aa6
Bump module versions for release.
2012-07-25 14:33:06 -04:00
Chris PeBenito
4f24b1841c
Add optional name for kernel and system filetrans interfaces.
2012-05-10 09:53:45 -04:00
Chris PeBenito
9e56720a39
Module version bump and changelog for various dontaudits from Sven Vermeulen.
2012-04-20 16:06:54 -04:00
Chris PeBenito
f65edd8280
Bump module versions for release.
2012-02-15 14:32:45 -05:00
Chris PeBenito
3cbb3701cd
Module version bumps for debian fc patch from Russell Coker.
2011-11-16 15:31:48 -05:00
Chris PeBenito
7d6b1e5889
Module version bump and changelog for role attributes usage.
2011-09-21 09:16:34 -04:00
Chris PeBenito
f9145eae44
Add role attributes to dhcpc.
2011-09-21 08:27:37 -04:00
Chris PeBenito
66e03ec8b2
Module version bump for LDAPS patch. Move a line.
2011-08-24 09:38:58 -04:00
Chris PeBenito
12904f9fe8
Module version bump for dhcp client patch from Sven Vermeulen.
2011-08-24 09:15:33 -04:00
Sven Vermeulen
4976982e85
Allow dhcp client to update kernel routing table plus context updates
...
This small patch updates the dhcpc_t (DHCP client domain) to allow updating the
kernel's routing tables (as that is a primary purpose of a DHCP client) as well
as interact with the kernel through the net_sysctls.
Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context
definition as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:13:33 -04:00
Chris PeBenito
aa4dad379b
Module version bump for release.
2011-07-26 08:11:01 -04:00
Chris PeBenito
86460648a6
Sysnetwork patch from Miroslav Grepl.
...
* adds support for the "ip xfrm" command, which allows assigning a context
2011-03-21 09:48:05 -04:00
Chris PeBenito
8103e7c1f4
Module version bump for sysnetwork interface from Guido Trentalancia.
2011-02-28 09:35:02 -05:00
Chris PeBenito
bca0cdb86e
Remove duplicate/redundant rules, from Russell Coker.
2010-07-07 08:41:20 -04:00
Chris PeBenito
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
Chris PeBenito
29af4c13e7
Bump module versions for release.
2010-05-24 15:32:01 -04:00
Chris PeBenito
1fa92b8a55
Sysnetwork patch from Dan Walsh.
2010-03-18 15:40:04 -04:00
Chris PeBenito
aadcb968f9
Move netlink route sockets from nsswitch to DNS name resolve.
2010-02-17 20:28:59 -05:00
Chris PeBenito
c3c753f786
Remove concept of user from terminal module interfaces dealing with ptynode and ttynode since these attributes are not specific to users.
2010-02-11 14:20:10 -05:00
Chris PeBenito
7d2f96783c
Module version number bump for 1031ee6.
2010-02-08 13:37:42 -05:00
Chris PeBenito
9570b28801
module version number bump for release 2.20090730 that was mistakenly omitted.
2009-08-05 10:59:21 -04:00
Chris PeBenito
d69616c625
fix ordering in sysnetwork.
2009-08-05 10:23:50 -04:00
Chris PeBenito
3f67f722bb
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
Chris PeBenito
26410ddf54
trunk: remove unnecessary semicolons after interface/template calls.
2009-06-19 13:52:33 +00:00
Chris PeBenito
c1262146e0
trunk: Remove node definitions and change node usage to generic nodes.
2009-01-09 19:48:02 +00:00
Chris PeBenito
668b3093ff
trunk: change network interface access from all to generic network interfaces.
2009-01-06 20:24:10 +00:00
Chris PeBenito
17ec8c1f84
trunk: bump module versions for release.
2008-12-10 19:38:10 +00:00
Chris PeBenito
296273a719
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
Chris PeBenito
2cca6b79b4
trunk: remove redundant shared lib calls.
2008-10-17 17:31:04 +00:00
Chris PeBenito
2a98379a24
trunk: additional whitespace fixes.
2008-10-17 15:52:39 +00:00
Chris PeBenito
0b36a2146e
trunk: Enable open permission checks policy capability.
2008-10-16 16:09:20 +00:00
Chris PeBenito
5d4f4b5375
trunk: bump version numbers for release.
2008-10-14 15:46:36 +00:00
Chris PeBenito
e0ed765c0e
trunk: 3 patches from the fedora policy, cherry picked by David Hardeman.
2008-08-11 14:03:36 +00:00
Chris PeBenito
cfcf5004e5
trunk: bump versions for release.
2008-07-02 14:07:57 +00:00
Chris PeBenito
e9c6cda7da
trunk: Move user roles into individual modules.
2008-04-29 13:58:34 +00:00
Chris PeBenito
0a14f3ae09
trunk: bump module version numbers for release.
2008-04-02 16:04:43 +00:00
Chris PeBenito
e828954c63
trunk: 4 patches from dan.
2008-03-27 15:20:16 +00:00
Chris PeBenito
2ed4f5aedf
trunk: small fixes for gentoo system.
2008-03-20 14:55:17 +00:00
Chris PeBenito
12cf805e1c
trunk: add basic ubuntu support
2008-02-05 18:24:43 +00:00
Chris PeBenito
f7925f25f7
trunk: bump module versions for release.
2007-12-14 14:23:18 +00:00
Chris PeBenito
02d968c581
trunk: several fc updates from dan.
2007-12-12 15:55:21 +00:00
Chris PeBenito
bd973e3e68
trunk: remove unused types from dbus.
2007-10-26 18:04:38 +00:00
Chris PeBenito
12e9ea1ae3
trunk: module version bumps for previous commit.
2007-10-02 17:15:07 +00:00
Chris PeBenito
350b6ab767
trunk: merge strict and targeted policies. merge shlib_t into lib_t.
2007-10-02 16:04:50 +00:00
Chris PeBenito
116c1da330
trunk: update module version numbers for release.
2007-06-29 14:48:13 +00:00